SPI Dynamics: JavaScript capability puts search users at risk

A leading researcher with SPI Dynamics announced at ToorCon last week that search engine users are at risk of having their sensitive search terms revealed with a simple technique using JavaScript.

According to Billy Hoffman, lead research engineer for SPI Labs, the technique can scan behind firewalls on corporate networks, works on any web browser, and is not a browser bug, so there is no patch to fix it.

"It is not so much a vulnerability as it is an unintended capability that JavaScript has that it can tell whether you have visited a URL or not," he told SCMagazine.com. "So if we can tell whether you visited a URL we can expand that to say, ‘Did you visit the URL that's for, say, the results page for a query on Google.’"

Hoffman showed a proof-of-concept (PoC) of the technique at the ToorCon hacker conference. The principle behind the technique is to build code that automatically checks every permutation or combination of search terms that the attacker wants to confirm the user has visited.

"When you search for ‘cats’ you view a specific URL, so if we check to see whether you visited that URL, we can check to see whether you searched for ‘cats,’" he said. "So we can do this and we can figure out what terms you are searching for in all of the major search engines."
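The leak Hoffman describes depends on one property: a search engine's results URL is a pure function of the query, so anyone who can guess the term can reconstruct the URL and test it against a visited-link oracle. The following model is an added example, not Hoffman's PoC; it stands in a set of constructed URLs for the browser's history rather than reading any real history, and the per-session token mitigation is an assumed design, not something on the page.

```python
import secrets
from urllib.parse import quote_plus

# Constructed: one predictable results-URL template per engine.
ENGINE_RESULT_URLS = {
    "google": "https://www.google.com/search?q={q}",
    "yahoo": "https://search.yahoo.com/search?p={q}",
}


def guessable_results_url(engine: str, query: str) -> str:
    """Results URL as the browser records it: determined by the query alone."""
    return ENGINE_RESULT_URLS[engine].format(q=quote_plus(query))


def infer_searched_terms(candidates, visited_urls):
    """Model of the inference: a candidate term is confirmed when the URL its
    search would produce is present in `visited_urls`, which stands in for
    whatever visited-link oracle a page is able to query."""
    found = set()
    for engine in ENGINE_RESULT_URLS:
        for term in candidates:
            if guessable_results_url(engine, term) in visited_urls:
                found.add((engine, term))
    return found


def unguessable_results_url(engine: str, query: str, session_token: str) -> str:
    """Assumed mitigation: bind the results URL to a random per-session token,
    so knowing the query is no longer enough to reconstruct the visited URL."""
    base = ENGINE_RESULT_URLS[engine].format(q=quote_plus(query))
    return f"{base}&sid={session_token}"


def new_session_token() -> str:
    return secrets.token_urlsafe(16)


# Constructed history: the user searched Google for two of the three candidates.
VISITED = {
    guessable_results_url("google", "cats"),
    guessable_results_url("google", "whistleblower logs"),
}
CANDIDATES = ["cats", "dvd players", "whistleblower logs"]

if __name__ == "__main__":
    print(infer_searched_terms(CANDIDATES, VISITED))
    tokenised = {unguessable_results_url("google", "cats", new_session_token())}
    print(infer_searched_terms(CANDIDATES, tokenised))
```

With predictable URLs the model recovers both searched terms; once the results URL carries a per-session token the same candidate list confirms nothing, which is the same reason Hoffman's advice to clear history works: the oracle has nothing guessable to match.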

The implications that this kind of technique could have on corporate espionage are limitless, he said.

"There are easier ways to keep tabs on what your VPs are doing," he said. "But let's say I'm R.J. Reynolds and I want to see if any of my VPs are searching for whistleblower logs or things like that. It would be easy to do."

Similarly, he said that web commerce sites could easily keep tabs on their customers.

"For example, if you were to visit Amazon.com and you searched DVD players, Amazon.com could give you a page saying ‘Here are all of our DVD players’ and then push down a piece of code to see if you're checking their competitors' web pages and use it to figure out how loyal a customer you are," he said. "It's interesting to see how companies will use this. Will they worry about backlash and not do it?"

Hoffman believes that code similar to his PoC could also be easily delivered in a cross-site scripting attack payload and used maliciously. "We didn't want to arm people with something dirty, we just wanted to show you can do a lot of things with this," he said. "We needed to get the information out there that these are threats and that you can do this."

He warned users to clear their search history frequently to prevent techniques like this from working.